Information
The default outbound anti-spam policy in Microsoft Defender automatically applies to all users and is designed to detect and limit suspicious email-sending behavior. The policy enforces limits based on both volume and spam detection. If a user sends too many emails too quickly or if a high percentage of their messages are flagged as spam, their ability to send email can be temporarily restricted. This helps prevent abuse from compromised accounts or inadvertent spam campaigns.
When these limits are exceeded, Microsoft routes the messages through a high-risk delivery pool to protect its IP reputation and notifies administrators through built-in alert policies.
The recommended state is:
- External: Restrict sending to external recipients (per hour) - 500
- Internal: Restrict sending to internal recipients (per hour) - 1000
- Daily: Maximum recipient limit per day - 1000
- Action: Over limit action - Restrict the user from sending mail
Message limit settings help lessen the impact of a Business Email Compromise (BEC) by automatically restricting accounts that send unusually high volumes of email. This containment prevents compromised accounts from launching large-scale attacks and helps ensure the organization's email remains trusted and deliverable. Without these limits, excessive or suspicious outbound traffic could result in Microsoft blocking the organization's email, disrupting communication and damaging reputation.
Solution
To remediate using the UI:
- Navigate to Microsoft 365 Defender https://security.microsoft.com.
- Click to expand Email & collaboration, then select Policies & rules > Threat policies.
- Under Policies select Anti-spam and click to open Anti-spam outbound policy (Default).
- Select Edit protection settings.
- Set the following settings to the recommended values, or to more restrictive values:
  - External: Set an external message limit - 500
  - Internal: Set an internal message limit - 1000
  - Daily: Set a daily message limit - 1000
  - Action: Restriction placed on users who reach the message limit - Restrict the user from sending mail
- Ensure that "Notify these users and groups if a sender is blocked due to sending outbound spam" contains a monitored mailbox.
To remediate using PowerShell:
- Connect to Exchange Online using Connect-ExchangeOnline.
- Change the example email addresses below and run the following PowerShell commands:
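```powershell
# Recommended limits for the default outbound anti-spam policy
$params = @{
    RecipientLimitExternalPerHour = 500
    RecipientLimitInternalPerHour = 1000
    RecipientLimitPerDay          = 1000
    ActionWhenThresholdReached    = 'BlockUser'
    # Placeholder addresses: replace with monitored mailboxes in your tenant
    NotifyOutboundSpamRecipients  = @('monitored-mailbox1@example.com','monitored-mailbox2@example.com')
}
# Apply the settings to the default policy via splatting
Set-HostedOutboundSpamFilterPolicy -Identity 'Default' @params
```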
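To verify the result, the following added example (not part of the original benchmark text) audits a policy object against the recommended values above, accepting lower limits as more restrictive. The function name Test-OutboundSpamLimits and the sample object are hypothetical; the check treats a limit of 0 as non-compliant because Exchange Online documents 0 as "use the service default", not as the tightest limit.

```powershell
# Added example: audit an outbound spam policy against this page's recommended values.
function Test-OutboundSpamLimits {
    param([Parameter(Mandatory, ValueFromPipeline)] $Policy)
    process {
        # Recommended ceilings from this page; a lower non-zero value is more restrictive.
        $ceilings = [ordered]@{
            RecipientLimitExternalPerHour = 500
            RecipientLimitInternalPerHour = 1000
            RecipientLimitPerDay          = 1000
        }
        foreach ($name in $ceilings.Keys) {
            $value = [int]($Policy.$name)
            # 0 means the service default applies, so it does not satisfy the control.
            $ok = ($value -gt 0) -and ($value -le $ceilings[$name])
            [pscustomobject]@{
                Setting = $name; Value = $value
                Expected = "1..$($ceilings[$name])"; Compliant = $ok
            }
        }
        $action = [string]$Policy.ActionWhenThresholdReached
        [pscustomobject]@{
            Setting = 'ActionWhenThresholdReached'; Value = $action
            Expected = 'BlockUser'; Compliant = ($action -eq 'BlockUser')
        }
        # Drop null/empty entries so an unset recipient list counts as zero recipients.
        $recipients = @($Policy.NotifyOutboundSpamRecipients | Where-Object { $_ })
        [pscustomobject]@{
            Setting = 'NotifyOutboundSpamRecipients'; Value = $recipients.Count
            Expected = 'at least 1 mailbox'; Compliant = ($recipients.Count -ge 1)
        }
    }
}

# Constructed sample policy (not real tenant data) so the check runs offline.
$sample = [pscustomobject]@{
    RecipientLimitExternalPerHour = 0
    RecipientLimitInternalPerHour = 1000
    RecipientLimitPerDay          = 800
    ActionWhenThresholdReached    = 'BlockUserForToday'
    NotifyOutboundSpamRecipients  = @()
}
$sample | Test-OutboundSpamLimits | Format-Table -AutoSize

# Against a live tenant, after Connect-ExchangeOnline:
# Get-HostedOutboundSpamFilterPolicy -Identity 'Default' | Test-OutboundSpamLimits
```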
Impact:
Enforcing message limits may result in legitimate users being temporarily blocked from sending email if their bulk messaging activity resembles spam or exceeds volume thresholds. This can disrupt business operations, delay communication, and require administrative effort to investigate and restore access. However, these adverse effects typically stem from a lack of planning around mass mailings. To avoid triggering these limits, Microsoft recommends sending bulk email through custom subdomains or third-party bulk email providers.